Protiviti study on IT auditing raises more questions than it answers
There’s a new Protiviti study. Their 2011 IT Audit Benchmarking Survey summarizes the input from nearly 500 professionals and makes a number of observations.
Before getting into those observations, I have a couple of my own:
- The report talks about IT risks – but there is no such thing as an IT risk, only business risks due to a failure of technology. These days, talking separately (from business auditing) about IT audit and IT risks is somewhat ‘old-fashioned’. Companies are now talking more about business risk and the role of IT as both an enabler of solutions and a source of issues. The trend is towards building an audit plan that addresses those business risks and will probably have fewer pure IT audits as a result.
- Most of the issues raised in the report (such as the fact that auditors struggle to keep up with technology) are ages-old. I have been in the profession since 1980 and they were problems then!
Here are their “key trends and takeaways”, with my comments.
“The growth and prevalence of technology throughout most operations in a company are outpacing the assessment, management and monitoring of related IT risks.”
- This has been the case since man discovered fire – and the risk of burns came later.
- The report did not address whether IT auditors are involved in change projects, whether these are major new ERP implementations, moving infrastructure or applications to the cloud, or the embracing of social media and mobile. Maybe that can be included in the next survey.
“IT risks do not garner nearly enough attention in organizations today, and in small companies in particular.”
- IT is a source of business risk, not a risk in-and-of-itself. The study, I think, should have considered whether the internal audit function was looking at business risks – and considering the IT impact as part of that activity.
- The Protiviti statement may or may not be correct. Intuitively, as an IT auditor since (it seems) the dawn of computing, I think it is probably correct. But, the level of resources allocated to IT issues should be commensurate with the level of risk and balanced against the need to address other sources of risk.
- In smaller companies (especially), the auditor has to take on all aspects of risk – including IT-related issues. He may be supplemented with co-sourcing.
“A large percentage of companies are not complying with IIA Standard 2110.A2, which requires the internal audit function (usually through IT audit) to assess whether the organization’s information technology governance sustains and supports its strategies and objectives.”
- A large part of IT governance activities may be included as part of the audits of IT general controls (which the study shows are allocated a large share of resources).
- Even though the Standards require this, a risk-based planning exercise may have identified this as a lower risk area – and it would have been appropriate, therefore, not to include it in the plan.
- The main standard here, 2110, requires internal audit to assess governance processes in general. That is even more of a problem than IT governance: few functions assess and report on more than a couple of governance processes.
“Many organizations do not have the requisite skills and capabilities to assess their key IT risks adequately.”
- See above. There is no such thing as an IT risk, let alone a key IT risk. And, keeping up with technology is a problem for the ages.
“A surprisingly large number of organizations fail to conduct an annual IT risk assessment.”
- Good! They should be assessing business risk and not IT risk.
- Good! It should be a continuing and not an annual process.
“IT audit functions in North America invest significantly more time on compliance-related activities than these functions do in other regions of the world.”
- That may or may not be OK. It all depends on where a business risk-based audit program says the resources should be spent.
What do you think? I would appreciate your comments.